truststore vs keystore in layman terms

I am trying to understand the difference between truststores and keystores in layman terms. How are they related to cacerts in Java? I have gone through a lot of threads but still cannot understand when to use a keystore and when to use a truststore.

When I try to make an API call to a web service via HTTPS, I keep on getting an SSL certificate issue. The HTTPS service is using a self-signed certificate and I imported the certificate into my cacerts, but the issue still persists. Where do I have to import this server certificate? If the import solves the issue, do I need to import the certificate in other environments when I deploy the application?

Our application uses a JKS file; what is it needed for? When I view the JKS file, I see there are 2 certificates in it. Why do we use it?

For truststore, I see people saying "trusting ourselves". What are we trusting ourselves with? Does the truststore use any certificates? When should I be using a keystore versus a truststore?

Any help in understanding this would be really helpful to me.

Praveen asked Jan 13 '18 16:01


People also ask

What is key store and trust store?

Keystores and truststores are repositories that contain cryptographic artifacts like certificates and private keys that are used for cryptographic protocols such as TLS. A keystore contains personal certificates, plus the corresponding private keys that are used to identify the owner of the certificate.

What is SSL truststore and keystore?

The SSL keystore holds the identity key for the server and the SSL truststore serves as the repository for trusted certificates. The SSL truststore is used for trusting or authenticating client certificates (for two-way SSL).

Is JKS keystore or truststore?

The truststore file, cacerts.jks, contains the Application Server's trusted certificates, including public keys for other entities. For a trusted certificate, the server has confirmed that the public key in the certificate belongs to the certificate's owner.

Is Cacerts a keystore or truststore?

'cacerts' is a truststore. A trust store is used to authenticate peers. A keystore is used to authenticate yourself.


1 Answer

Truststore - a container that holds certificates that should be accepted, aka trusted, by the application. This can be e.g. a self-signed certificate or a certificate signed by a CA that is not on the global list of CAs. For example, a company can have its own CA to allow the use of its own certificates. Adding such a CA to your truststore (the app's, or installing it in the system) will validate all other certificates signed by that CA.

Keystore - a container that holds private keys. This allows the application to accept communication initiated using the corresponding public key.

In Java, they can both be in JKS format and they are "technically" the same thing. For security reasons, you separate those logically into 2 containers.

What it seems you might not know is that PKI works in a way that you always have a pair of a unique public key and private key. The public key is used to ENCRYPT communication while the private key is used to DECRYPT it. When a client connects via an SSL channel, it uses the public key to establish the key exchange. If the server identity is legit, it will have the private key and will be able to proceed with the exchange.

Now to your question

Where do I have to import this server certificate? If the import solves the issue, do I need to import the certificate in other environments when I deploy the application?

The server must have a private key in order to do a successful SSL handshake. Also, it introduces itself with the corresponding public key (that is in the certificate). If that certificate is signed by a world-wide trusted CA, nothing has to be done: the certificate will be trusted. If it is not (self-signed, private CA) then it must be added to the client's trust store to tell the application that this particular certificate should be trusted despite no public authority assurance.

If the import solves the issue, do I need to import the certificate in other environments when I deploy the application?

Every system must be informed that it should trust that particular certificate. If the client application is proprietary to you, you can distribute the truststore along with it.

For truststore, I see people saying "trusting ourselves". What are we trusting ourselves with?

By adding a given certificate to the "trust list", the trust store. It literally says that it is OK to connect to a server that introduces itself with that particular certificate (still, it has to have the private key to authenticate itself).

Does the truststore use any certificates?

The trust store is just a container.

When should I be using a keystore versus a truststore?

Already answered, but: use the trust store to say that connecting using some public key is secure despite the fact that it is not signed by a global CA. Use the keystore on the server side to allow a proper handshake.

Antoniossss answered Sep 20 '22 12:09
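As an added illustration (this is not code from the question or the answer above), the Java program below makes the "same container, two roles" point concrete. It loads a JKS/PKCS12 file and reports which entries are keystore material (private-key entries, i.e. your own identity) and which are truststore material (trusted-certificate entries, i.e. peers you accept), prints the path of the cacerts file the running JVM actually uses and whether a given alias is in it (the first thing to check when an import into cacerts "does not work": a different JDK's cacerts, or a `-Djavax.net.ssl.trustStore` override, is commonly the culprit), and wires one KeyStore into each role of an SSLContext. The class name, command-line arguments and alias are assumptions for the example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper class written for this answer; not part of any library.
public class StoreRoles {

    // Load a store file. KeyStore.getDefaultType() is "jks" on JDK 8 and "pkcs12" on
    // JDK 9+; on JDK 9+ either type reads both formats (compatibility mode). Pass
    // a null password to read a store whose integrity password you do not know.
    static KeyStore load(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Classify each alias: a key entry (private key + certificate chain) is keystore
    // material that identifies *you*; a trusted-certificate entry is truststore
    // material that names a peer (or CA) you are willing to accept.
    static void describe(KeyStore ks) throws Exception {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                System.out.printf("%-30s KEY ENTRY     (identity; chain length %d)%n",
                        alias, chain == null ? 0 : chain.length);
            } else if (ks.isCertificateEntry(alias)) {
                Certificate c = ks.getCertificate(alias);
                String subject = (c instanceof X509Certificate)
                        ? ((X509Certificate) c).getSubjectX500Principal().getName()
                        : c.getType();
                System.out.printf("%-30s TRUSTED CERT  (peer accepted: %s)%n", alias, subject);
            }
        }
    }

    // The truststore this JVM consults by default: the javax.net.ssl.trustStore
    // override if set, otherwise <java.home>/lib/security/cacerts. Importing into
    // any other file (e.g. another installed JDK's cacerts) has no effect here.
    static Path defaultTrustStorePath() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) {
            return Paths.get(override);
        }
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    // Wire both roles into one SSLContext: the keystore feeds the KeyManagers (what we
    // present to the peer), the truststore feeds the TrustManagers (what we accept).
    static SSLContext buildContext(KeyStore keystore, char[] keyPassword,
                                   KeyStore truststore) throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keystore, keyPassword);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Usage: java StoreRoles <store.jks> <store-password> [alias-expected-in-cacerts]
    public static void main(String[] args) throws Exception {
        Path store = Paths.get(args[0]);
        char[] pw = args[1].toCharArray();
        KeyStore ks = load(store, pw);
        System.out.println("Entries in " + store + ":");
        describe(ks);

        Path cacerts = defaultTrustStorePath();
        System.out.println();
        System.out.println("Default truststore of this JVM: " + cacerts);
        if (args.length > 2) {
            // null password: read without integrity check, so no "changeit" assumption
            KeyStore trust = load(cacerts, null);
            System.out.println("alias '" + args[2] + "' present in it: "
                    + trust.containsAlias(args[2]));
        }

        // Same file type, two roles: here the one file is used as both, which works
        // technically but is what the answer advises separating for security reasons.
        SSLContext ctx = buildContext(ks, pw, ks);
        System.out.println("SSLContext protocol: " + ctx.getProtocol());
    }
}
```

Run it against the application's JKS file to see which of the two certificates in it is a key entry (identity) and which is a trusted certificate. If the self-signed server certificate is a trusted-certificate entry in a file that is neither the JVM's cacerts nor the store passed to the TrustManagerFactory the HTTP client uses, the handshake will keep failing regardless of the import.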